ASA-8.4(3)

Anukalp S
Level 1

Hello..

We have a DMZ interface on an ASA 5510. A L2 switch is connected to the DMZ interface and all DMZ servers are connected to the L2 switch.

Everything was working fine on 8.2(5). Recently we upgraded to 8.4(3) and after the upgrade we are finding that a DMZ server doesn't have the ARP entry of another DMZ server's MAC address in its ARP table, but it has the ARP entry of the firewall DMZ interface. This is causing a reachability issue between DMZ servers.

Also I have seen on the L2 switch that the ARP entry of the server is showing the ASA DMZ interface.

I am confused whether it is because of the ASA upgrade.

Any help on this would be really appreciated.

1 Accepted Solution

Hi,

So it seems that Proxy ARP was indeed the problem. In other words the ASA was causing problems for the connections between hosts in the same network. I guess it was replying to the ARP request before the actual hosts were and caused steady problems in the communications.

I am not sure why this wasn't causing problems earlier and I doubt anyone here can unless they have debugged the situation. I personally always disable proxy ARP on the ASA's local interface, especially if the ASA is directly the gateway of a subnet without any in-between routers.

I am not really able to say much about the software 8.4(3) as I have never used the mentioned software version. Specifically for the reason that there is a problem with ARP when you are using multiple networks for NAT on a WAN interface, for example.

I would personally probably go straight to the 8.4(5) software, though there is also 8.4(6) and naturally 9.0(2) and 9.1(2) are available also.

You can always check the release notes of the different ASA software versions and see the Open Caveats section to see if there is still some unsolved bug that might cause problems in your environment. Naturally there might be bugs that aren't even listed there.

Here you can see all the Release Notes for ASA software:

http://www.cisco.com/en/US/products/ps6120/prod_release_notes_list.html

Please do take the time to mark the reply as the correct answer and rate helpful answers.

- Jouni


5 Replies

Jouni Forss
VIP Alumni

Hi,

Usually the problems related to ARP on a L2 segment directly connected to one ASA interface are related to the fact that the ASA has Proxy ARP enabled for that interface and therefore might reply to an ARP request for a host even though it doesn't own the IP/MAC.

Disabling the Proxy ARP is done with the command

sysopt noproxyarp

I mean there shouldn't really be many things that could prevent the servers located in the same network from seeing each other.

The software 8.4(3) did have a very considerable ARP-related problem though. The most common problem was in a situation where you for example had 2 public subnets from an ISP. One of these public subnets was configured on the "outside" interface of the ASA and the other was used for NAT configurations on the "outside" also.

Updating from 8.4(2) (for example) to 8.4(3) made it so that the ASA would no longer answer ARP requests if the IP address/network wasn't a directly connected network for the ASA.

This could usually be corrected with routing changes on the ISP side or by upgrading to 8.4(5).

But to be honest I am not sure if either of them relates to your problem.

The first thing I mentioned might be closer to your description, but that would usually mean that your servers would see an entry in the ARP table but with the MAC address of the ASA.

I also wonder about your update. Did you convert the configurations manually or just boot the ASA to the new software? I just wonder as there is a BIG change related to NAT configurations for example on the 8.2 to 8.3 software level "jump".

- Jouni
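A quick way to confirm the symptom described in this thread (a neighbour's IP resolving to the firewall's MAC) before touching the ASA configuration is to check the servers' own ARP tables. The script below is an added example, not something from the thread; it parses Linux `arp -a` and Windows `arp -a` style output (a constructed sample is embedded) and flags every host IP that maps to the DMZ interface MAC, which is given as a placeholder value.

```python
import re

# Placeholder values (not from the thread): the ASA DMZ interface IP and MAC.
ASA_DMZ_IP = "192.0.2.1"
ASA_DMZ_MAC = "00:11:22:aa:bb:01"

# Constructed sample output: three Linux-style lines and one Windows-style
# line, as collected from DMZ servers. web1, db1 and the Windows entry resolve
# to the firewall MAC, app1 resolves to its own MAC.
SAMPLE_ARP_TABLE = """\
fw-dmz (192.0.2.1) at 00:11:22:aa:bb:01 [ether] on eth0
web1 (192.0.2.10) at 00:11:22:aa:bb:01 [ether] on eth0
db1 (192.0.2.20) at 00:11:22:aa:bb:01 [ether] on eth0
app1 (192.0.2.30) at 52:54:00:12:34:56 [ether] on eth0
  192.0.2.40            00-11-22-aa-bb-01     dynamic
"""

# IPv4 address, then some non-digit text, then a MAC with ':' or '-' separators.
ARP_LINE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\D+?"
    r"(?P<mac>(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})",
    re.I,
)


def parse_arp_table(text):
    """Return {ip: mac} with MACs normalised to lowercase colon form."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries[m.group("ip")] = m.group("mac").lower().replace("-", ":")
    return entries


def find_proxy_arp_victims(entries, gateway_ip, gateway_mac):
    """IPs other than the gateway itself that resolve to the gateway's MAC.

    On a flat L2 segment a neighbour should resolve to its own NIC; if it
    resolves to the firewall MAC, the firewall answered the ARP request on the
    neighbour's behalf (proxy ARP) and traffic is being hairpinned or dropped.
    """
    gw = gateway_mac.lower().replace("-", ":")
    return sorted(ip for ip, mac in entries.items()
                  if mac == gw and ip != gateway_ip)


if __name__ == "__main__":
    victims = find_proxy_arp_victims(parse_arp_table(SAMPLE_ARP_TABLE),
                                     ASA_DMZ_IP, ASA_DMZ_MAC)
    print("hosts resolving to the firewall MAC:", victims)
```

A non-empty result points at proxy ARP on that interface; the fix discussed in this thread is `sysopt noproxyarp <interface>` on the ASA, after which the script should report no victims.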

Hi Jouni..

Actually my problem is with ARP of the DMZ local IPs, not with public IPs. A server in the DMZ segment doesn't show the MAC of another server in its ARP table but shows the MAC of the DMZ interface. Also on the L2 switch we find the same. On the L2 switch it shows the MAC of the DMZ interface, although ideally the MAC in the ARP table should be that of the server if we are checking for this server.

Also we didn't convert the configuration, we rebooted the ASA with 8.4(3).

Currently I have "no sysopt noproxyarp DMZ" configured on the ASA.

Hi,

Basically I think the problem related to the servers not being able to see the ARP of the other host on the same network shouldn't be due to the ASA, to my understanding. (Since the ASA can't really block them but could reply to an ARP request.)

The command "no sysopt noproxyarp DMZ" means that the ASA has Proxy ARP enabled and might answer ARP requests for IP addresses it doesn't "own".

- Jouni

Hi Jouni..

I did "sysopt noproxyarp DMZ" on the ASA and now the DMZ servers started talking to each other. And also now the ARP entry in the table of a server reflects the other server's MAC and it is not showing the DMZ interface MAC now as earlier.

I am surprised that with the "no sysopt noproxyarp DMZ" command everything was working with 8.2(5) but the issue was faced after upgrading to 8.4(3).

Could you please let me know what other flaws are in 8.4(3), since if there are some more bugs then I have to go with 8.4(5).
